
By K Richard Douglas
Cybercrime cost Americans nearly $7 billion in 2021, up substantially from the $1.4 billion in losses reported in 2017. Microsoft reported a 1,100 percent increase in cyberattacks in the week after the World Health Organization declared COVID-19 a global emergency in 2020. Few people have escaped being affected.
Phishing scams led all categories of Internet crime in 2021, up nearly 40 percent. Cybercriminals have nearly perfected emails that mimic messages from familiar consumer companies, and unsuspecting victims who act on them become unwitting participants in the fraud.
The victims of phishing scams and “non-payment” scams are most often people over the age of 50, who accounted for $3 billion of the 2021 losses. Those aged 60 and over filed 92,371 complaints in 2021 with the FBI.
Both personal and business email accounts are targets. More than $2 billion was stolen in 2021 through business email compromise alone. Changes in the dynamics of the office, with remote work and virtual meetings replacing in-person contact, contributed to more online scams during the year.
It has become a routine feature of modern-day life for a consumer to get a notification that their personal information has been compromised in a breach or that their email or other information was discovered on the “dark web” by an identity theft protection service.
Consumers have had to adopt two-factor authentication and password managers to protect themselves. Yet the opportunities for criminals to mount an attack, compromise confidential information or spy on someone unnoticed have only multiplied as the average person connects more and more “things” to the network.
The Internet of Things (IoT) has exploded and the average “smart home” has numerous consumer products connected to the Internet. This is in addition to home networks, desktop computers, laptops, tablets and phones.
As a business segment, health care has been particularly vulnerable and heavily targeted. Protected health information (PHI) is a valuable commodity that cybercriminals sell on the dark web.
Millions of patients have been affected in recent years, and the attacks have cost health care organizations millions of dollars in compensation, penalties and reputational damage. Employees across the organization must be trained to recognize cybercrime and the weaknesses it exploits. Every weakness in the system, email included, must be treated as a point of exposure for electronic PHI (ePHI).
Medical devices are exposed to vulnerabilities throughout their life cycle. Some arrive with vulnerabilities already present at installation; others become vulnerable years later, often because the software they run has fallen out of support. Attention to every existing vulnerability, and to every new weakness created by legacy software or other causes, is essential to protecting the network and the ePHI on it.
Closing those weaknesses matters not only to prevent a breach but also because containing one takes time, and every hour of containment exposes more ePHI. Knowledge of network security has become an important skill in the biomed toolbox, and the threat has given rise to hybrid HTM/IT positions created to address it.
Upgrades are important, and routine patching should be a habit. Designating one day a month for patching ensures that it happens on a predictable cadence rather than when someone remembers. Will the vendor be a partner during a data breach? That is a good pre-purchase question. And because imaging equipment runs a general-purpose operating system, are those devices segregated on their own network segment?
When purchasing new medical devices, it is also worth knowing whether the manufacturer plans an upgrade shortly after release.
Hacker’s Favorite Target
The challenges for medical devices in the health care environment grow every year as threats multiply. Protecting PHI is complicated by the realities of any equipment inventory: many makes and models, many of them aging.
With budget constraints, some organizations are holding onto legacy devices.
“Ideally, an organization would have a documented secure configuration for all devices deployed within their environment. This is achievable when the overwhelming majority of the inventory comes from a small number of manufacturers and the organization has standardized on a few models. However, the typical medical device inventory is composed of potentially hundreds of different manufacturer and model combinations. Each combination may require its own consideration which should occur during the intake process, but what happens after the install?” says Anthony Rubino, medical device network risk manager at Scripps Health in San Diego, California.
He says that there is some expectation the equipment was installed according to the secure configuration or solution design, but is anyone verifying this?
“A secure configuration may include aspects of the infrastructure in addition to the medical device configuration so it would require more than an HTM professional to perform this function,” Rubino says.
Any skipped steps during installation could provide an opportunity for hackers.
“A complete post-install verification of the secure configuration is time consuming and likely to be omitted. However, on occasion, unforeseen issues surface during install that cause a deviation from the secure configuration. Perhaps the medical device arrived without the latest operating system version or the dedicated VLAN is not routed through a firewall. Without a proper feedback process in place, the medical device may be improperly installed and potentially vulnerable,” Rubino says.
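The post-install verification Rubino describes, reduced to a check that can be run from an install ticket, as an added example (this is not code from the article, from Scripps Health or from any HTM tool). The device name, the baseline values, the observed-install fields and the port numbers are constructed for illustration; a real baseline would come from the organization's documented secure configuration for that make and model.

```python
"""Post-install check of a networked medical device against its documented
secure configuration. Added example; names and values are constructed."""
from dataclasses import dataclass


def parse_version(text):
    """'10.0.19045' -> (10, 0, 19045) so that versions compare numerically."""
    return tuple(int(part) for part in text.split("."))


@dataclass(frozen=True)
class SecureConfig:
    """The approved solution design for one make/model (the baseline)."""
    name: str
    min_os_version: str        # lowest OS build accepted at install
    vlan: int                  # dedicated VLAN the device must sit on
    behind_firewall: bool      # that VLAN must be routed through a firewall
    allowed_ports: frozenset   # listening TCP ports the design permits
    antivirus_required: bool


@dataclass(frozen=True)
class ObservedInstall:
    """What the post-install walk-through (or a scan) actually found."""
    asset_tag: str
    os_version: str
    vlan: int
    behind_firewall: bool
    listening_ports: frozenset
    antivirus_present: bool


def verify_install(baseline, observed):
    """Return a list of (code, detail) deviations; an empty list means compliant."""
    deviations = []
    if parse_version(observed.os_version) < parse_version(baseline.min_os_version):
        deviations.append(("OS_OUTDATED",
                           f"{observed.os_version} is below required {baseline.min_os_version}"))
    if observed.vlan != baseline.vlan:
        deviations.append(("WRONG_VLAN",
                           f"on VLAN {observed.vlan}, design says {baseline.vlan}"))
    if baseline.behind_firewall and not observed.behind_firewall:
        deviations.append(("VLAN_NOT_FIREWALLED",
                           f"VLAN {observed.vlan} is not routed through a firewall"))
    extra = sorted(observed.listening_ports - baseline.allowed_ports)
    if extra:
        deviations.append(("UNEXPECTED_PORTS", ", ".join(str(p) for p in extra)))
    if baseline.antivirus_required and not observed.antivirus_present:
        deviations.append(("NO_ANTIVIRUS", "endpoint protection not installed"))
    return deviations


# Constructed baseline for a hypothetical CT console; not a real product.
CT_CONSOLE_BASELINE = SecureConfig(
    name="CT console",
    min_os_version="10.0.19045",
    vlan=310,
    behind_firewall=True,
    allowed_ports=frozenset({104}),   # 104 = DICOM
    antivirus_required=True,
)

# Constructed as-installed record: an older build shipped, the VLAN was
# never put behind the firewall, and RDP is listening.
AS_INSTALLED = ObservedInstall(
    asset_tag="CT-0042",
    os_version="10.0.19041",
    vlan=310,
    behind_firewall=False,
    listening_ports=frozenset({104, 3389}),
    antivirus_present=True,
)


def report(baseline, observed):
    """Human-readable feedback for the install ticket."""
    findings = verify_install(baseline, observed)
    if not findings:
        return f"{observed.asset_tag}: matches secure configuration '{baseline.name}'"
    lines = [f"{observed.asset_tag}: {len(findings)} deviation(s) from '{baseline.name}'"]
    lines += [f"  {code}: {detail}" for code, detail in findings]
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(CT_CONSOLE_BASELINE, AS_INSTALLED))
```

The point of returning structured deviation codes rather than a pass/fail is the feedback loop Rubino mentions: each code maps to a specific owner (HTM for the OS build and endpoint protection, network engineering for the VLAN and firewall), so the ticket can be routed instead of closed.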
After installation, every device should be watched for deviations from its expected behavior. Some devices need to remain stand-alone, with no network connection at all.
“For setting up the device in the environment, by carefully monitoring its network activity, setting policies to get alerts on when there is a change in that behavior, health systems can track misconfigurations, undesired changes in network topology that could affect the device and any other issues and quickly move to fix and remediate them,” says Shankar Somasundaram, CEO and founder at Asimily in Mountain View, California.
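The behavioral monitoring Somasundaram describes, in the form of a baseline learned from a device's own flows and alerts on anything outside it, as an added example (not code from the article or from Asimily). The flow-record format, the addresses, the clinical segment range and the traffic itself are constructed for illustration; a real deployment would feed the detector from the passive monitor's flow export.

```python
"""Learn one device's normal network peers, then alert on deviations.
Added example; the flow format, addresses and segments are constructed."""
import ipaddress
import re
from collections import defaultdict

# Constructed flow-record format: "<timestamp> <src> -> <dst>:<port> <proto>"
FLOW_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>[\d.]+)\s+->\s+(?P<dst>[\d.]+):(?P<port>\d+)\s+(?P<proto>tcp|udp)$"
)

# Segments clinical devices are designed to talk to (constructed range).
CLINICAL_SEGMENTS = [ipaddress.ip_network("10.20.0.0/16")]


def parse_flow(line):
    m = FLOW_RE.match(line.strip())
    if m is None:
        raise ValueError(f"unparseable flow record: {line!r}")
    return m["ts"], m["src"], m["dst"], int(m["port"]), m["proto"]


def learn_baseline(lines):
    """Per source device, the set of (dst, port, proto) seen in the learning window."""
    baseline = defaultdict(set)
    for line in lines:
        _, src, dst, port, proto = parse_flow(line)
        baseline[src].add((dst, port, proto))
    return dict(baseline)


def classify(baseline, src, dst, port, proto):
    """Return None for known behaviour, else a short reason for the alert."""
    if src not in baseline:
        return "unknown-device"
    known = baseline[src]
    if (dst, port, proto) in known:
        return None
    if not any(ipaddress.ip_address(dst) in seg for seg in CLINICAL_SEGMENTS):
        return "new-peer-outside-clinical-segments"
    if any(p == port and pr == proto for _, p, pr in known):
        return "new-peer-for-known-service"   # e.g. the PACS node changed
    return "new-service"                      # a port this device never used


def detect(baseline, lines):
    """Run every later flow through classify(); return the alerts in order."""
    alerts = []
    for line in lines:
        ts, src, dst, port, proto = parse_flow(line)
        reason = classify(baseline, src, dst, port, proto)
        if reason:
            alerts.append((ts, src, reason, f"{dst}:{port}/{proto}"))
    return alerts


# Constructed learning window: a CT scanner (10.20.30.5) sends DICOM to the
# PACS server and talks to the site NTP server. Nothing else.
LEARNING_WINDOW = [
    "2024-03-01T08:00:01 10.20.30.5 -> 10.20.40.10:104 tcp",
    "2024-03-01T08:00:05 10.20.30.5 -> 10.20.1.1:123 udp",
    "2024-03-01T09:12:40 10.20.30.5 -> 10.20.40.10:104 tcp",
]

# Constructed later traffic: one benign repeat, then four things to look at.
LATER_TRAFFIC = [
    "2024-03-08T10:00:00 10.20.30.5 -> 10.20.40.10:104 tcp",   # known, no alert
    "2024-03-08T10:01:12 10.20.30.5 -> 10.20.40.11:104 tcp",   # DICOM to a new node
    "2024-03-08T10:02:30 10.20.30.5 -> 10.20.40.10:3389 tcp",  # RDP from a modality
    "2024-03-08T10:03:01 10.20.30.5 -> 203.0.113.7:443 tcp",   # off-site peer
    "2024-03-08T10:04:00 10.20.30.9 -> 10.20.40.10:104 tcp",   # device never baselined
]


def run_example():
    return detect(learn_baseline(LEARNING_WINDOW), LATER_TRAFFIC)


if __name__ == "__main__":
    for alert in run_example():
        print(*alert)
```

The reasons are ordered so that the alert most likely to matter (a peer outside the clinical segments) is reported even when the port would otherwise look familiar, and the "new peer for a known service" case is kept separate because it is often a legitimate topology change (a PACS failover node) that should update the baseline rather than trigger a response.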
One of the leading vulnerabilities is unsupported legacy software, which is found throughout the health care industry.
“Networked medical devices with unsupported operating systems pose one of the biggest cyber risks. Unfortunately, it has been my observation when talking to health systems all over the world that most have no idea what operating system any of their equipment is running. You can’t protect what you don’t know about, so the first step is to get an accurate inventory of what equipment is networked, what each device’s IP and MAC address is, whether it stores and/or transmits PHI, what operating system and upgrade version it’s running, and if it has antivirus software or a firewall, etcetera,” says Heidi Horn, MA, AAMIF, vice president, industry solutions at Nuvolo.
She says that many hospitals run passive monitoring software that can collect this information off the network, but if it is not fed back into their CMMS and matched to each applicable device, the data has no context and does little good.
“To add to the confusion, if a threat is identified by your cyber software, but only the IP address is known, you will have no way of knowing what or where the device is or who supports it. Therefore, it’s important for this data to be available in your CMMS,” Horn says.
Somasundaram agrees and singles out obsolete or outdated software as a concern.
“Health systems are having to deal with medical devices that are not kept up with updates, new versions, etcetera. This is to be expected, since the software life cycles are accelerating continuously while medical devices are used in the environments for longer periods of time as long as they are clinically viable. We have also seen cases where medical devices are not correctly configured in the network, and in some cases have been directly exposed to the network. In addition, as devices get de-commissioned, improper disposal procedures mean ePHI could get exposed inadvertently,” he says.
Somasundaram says that the solution is not as complex as it seems. With the right approach, technology and processes, all of this can be addressed.
“First, for devices running outdated software and operating systems: Just because a device is running outdated software does not mean that it is immediately a risk. A careful evaluation has to be done to understand whether there is a path to the device from an attacker. If there is a path, and if there is high impact of that device in the environment, then the attack vector can be mitigated by appropriate controls to ensure that the device can continue to be used as long as needed,” he says.
Rubino says that another problem to address is that, even if the device was installed properly according to the approved secure configuration, aspects of an organization’s environment change over time.
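Two of the points above lend themselves to one worked example: Horn's observation that passive-monitoring data is useless until it is matched to the CMMS record (so that an alert carrying only an IP address can be turned into "what, where and who supports it"), and Somasundaram's point that an outdated operating system is only a risk when there is a path from an attacker and the device has high impact. The block below is an added example, not code from the article, from Nuvolo or from Asimily. The CMMS rows, the monitoring observations, the field names (including `clinical_impact` and `firewalled_segment`) and the end-of-life list are constructed for illustration; a real end-of-life list would be maintained from vendor support dates.

```python
"""Join passive-monitoring observations to CMMS records by MAC address,
resolve an alert IP back to an asset, and triage unsupported devices by
attack path and impact. Added example; all records are constructed."""
from dataclasses import dataclass
from typing import Optional

# Operating systems whose vendor support has ended (constructed subset).
UNSUPPORTED_OS = {"Windows XP", "Windows 7", "Windows Server 2008 R2"}


@dataclass
class CmmsAsset:
    """One row from the CMMS, keyed by asset tag."""
    asset_tag: str
    mac: str
    description: str
    location: str
    support_owner: str
    stores_phi: bool
    clinical_impact: str          # "high" or "low" (constructed field)


@dataclass
class Observation:
    """What the passive monitor saw for one MAC address."""
    mac: str
    ip: str
    os_fingerprint: str
    firewalled_segment: bool      # traffic to it must cross a firewall
    open_ports: frozenset


@dataclass
class DeviceRecord:
    asset: Optional[CmmsAsset]
    observation: Optional[Observation]

    @property
    def unsupported_os(self):
        return (self.observation is not None
                and self.observation.os_fingerprint in UNSUPPORTED_OS)


def correlate(assets, observations):
    """Return {mac: DeviceRecord}; records missing one side are inventory gaps."""
    records = {}
    for a in assets:
        records[a.mac.lower()] = DeviceRecord(asset=a, observation=None)
    for o in observations:
        rec = records.setdefault(o.mac.lower(), DeviceRecord(asset=None, observation=None))
        rec.observation = o
    return records


def resolve_ip(records, ip):
    """Turn the IP in a security alert into 'what, where, who supports it'."""
    for rec in records.values():
        if rec.observation and rec.observation.ip == ip:
            if rec.asset is None:
                return f"{ip}: on the network but not in the CMMS"
            a = rec.asset
            return (f"{ip}: {a.description} ({a.asset_tag}) in {a.location}, "
                    f"supported by {a.support_owner}")
    return f"{ip}: never observed"


def triage(rec):
    """Outdated software alone is not the risk; a reachable path to a high-impact device is."""
    if rec.asset is None:
        return "not-in-cmms"            # seen on the wire, nobody owns it
    if rec.observation is None:
        return "not-observed"           # in the CMMS, never seen: lost, or offline
    if not rec.unsupported_os:
        return "supported"
    reachable = not rec.observation.firewalled_segment and bool(rec.observation.open_ports)
    high_impact = rec.asset.stores_phi or rec.asset.clinical_impact == "high"
    if reachable and high_impact:
        return "mitigate-now"           # segment, close ports, or add a compensating control
    if reachable:
        return "restrict-path"
    return "monitor"                    # unsupported, but no path from an attacker


# Constructed CMMS rows and monitor observations (note the case difference in MACs).
ASSETS = [
    CmmsAsset("US-0107", "00:1A:2B:3C:4D:01", "Ultrasound cart", "Radiology 2", "HTM", True, "high"),
    CmmsAsset("INF-0550", "00:1A:2B:3C:4D:02", "Infusion pump", "ICU", "HTM", False, "high"),
    CmmsAsset("ECG-0021", "00:1A:2B:3C:4D:03", "ECG cart", "ED", "HTM", True, "low"),
]
OBSERVATIONS = [
    Observation("00:1a:2b:3c:4d:01", "10.20.30.5", "Windows 7", False, frozenset({445, 3389})),
    Observation("00:1a:2b:3c:4d:02", "10.20.31.7", "Windows XP", True, frozenset({80})),
    Observation("00:1a:2b:3c:4d:09", "10.20.30.77", "Windows 10", False, frozenset({443})),
]


def run_example():
    records = correlate(ASSETS, OBSERVATIONS)
    return {mac: triage(rec) for mac, rec in records.items()}


if __name__ == "__main__":
    records = correlate(ASSETS, OBSERVATIONS)
    for mac, verdict in run_example().items():
        print(mac, verdict)
    print(resolve_ip(records, "10.20.30.5"))
```

MAC addresses are normalized to lower case before the join because monitoring tools and CMMS exports rarely agree on formatting, and a silent case mismatch is exactly how a PHI-bearing device ends up "not observed" while it is in fact on the network. The two gap verdicts are kept distinct because they go to different people: a device on the wire with no CMMS record is an intake failure, while a CMMS record that is never seen is a candidate for the "lost or missing" problem discussed later in the article.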
“Perhaps the original secure configuration includes security controls that have become obsolete. Regular reviews of the secure configuration or solution design should be part of every device security program,” he says.
The Mobile Age
Focusing on cabled devices attached to a network isn’t enough. The reality of connected devices today means that dozens or even hundreds of mobile devices can be connected through access points within the health care environment. These can include phones, tablets or other devices used for clinical purposes. It can also mean a number of non-medical devices.
Mobile devices owned by the health care facility can also present a risk.
“While aging networked devices pose the biggest risk, aging mobile devices that store PHI and lack cyber protection and/or are not tethered, also pose a major risk. I know of many examples where someone stole a mobile device like an ECG machine that had patient data on it, and the hospital had to go through a whole OIG investigation and pay fines. So, again, it’s important to have an inventory of those devices and ensure they’re properly protected,” Horn says.
Some health care organizations have suffered a breach that traced back to a single cellphone. A personal-device strategy might instead rely on devices supplied by the institution. Telehealth, too, may introduce new vulnerabilities.
Know Your Inventory
Devices taken out of service pose a real risk as well. Knowing which devices may hold personal information, and simply knowing every device in the inventory, are both important.
“Not properly decommissioning a device, and documenting its proper disposal, creates a huge risk for an organization. With the hospitals I have worked with over the years, on average, approximately four percent of devices due for a PM at any given time cannot be located and are ‘assumed’ to have been disposed of,” Horn says.
She says that HTM departments usually identify these devices in their CMMS as “lost” or “missing.”
“If any of those thousands of ‘lost’ devices stored PHI, and the hospital has no record of their proper disposal, that is a serious regulatory risk,” Horn adds.
The process for taking devices out of service should be well-documented.
“For de-commissioning, health systems need to follow a methodical process and carefully track which devices have ePHI, follow proper de-commissioning processes including ensuring they are cleaned carefully before disposing of them,” Somasundaram says.
Newer biomeds often have the advantage of cybersecurity training as a standard element of their education. All members of the biomed department need at least some training in this area.
“As I reflect on the topic and title of this article, it occurs to me that aging devices and aging HTM technicians have one major thing in common when it comes to cybersecurity – when they entered the hospital for the first-time years ago, cybersecurity was not a major concern. Because of this, many aging devices, as well as aging technicians, are not prepared for the cyber threats that hospitals face today. Fortunately, these gaps in knowledge (for the techs) and security protocols (for the equipment) can be improved with a little bit of effort,” Horn says.
Mitigating risk requires managing the risk profile of every device throughout its life cycle, from pre-procurement to de-commissioning.
“Finally, health systems can also get ahead of the problem by ensuring they are evaluating devices at procurement and deploying them in a secure way. Being able to then understand different risk profiles for different configurations, understanding which ones to go with and pros and cons of each can go a long way in ensuring that the right devices are acquired and deployed correctly,” Somasundaram says.
